Analysis
-
max time kernel
64s -
max time network
65s -
platform
windows7_x64 -
resource
win7 -
submitted
13-07-2020 06:38
Static task
static1
Behavioral task
behavioral1
Sample
MV TBN CALL PORT FOR LOADING COAL_pdf.exe
Resource
win7
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
MV TBN CALL PORT FOR LOADING COAL_pdf.exe
Resource
win10v200430
0 signatures
0 seconds
General
-
Target
MV TBN CALL PORT FOR LOADING COAL_pdf.exe
-
Size
527KB
-
MD5
aa683fc072f3ae7d3746555ad0d2fa86
-
SHA1
6e3a1234cfc5658c9da297cba29d5869b7d48906
-
SHA256
5f26ec6a89a14aedcee85883d41d5ca81a2ba2a7c99ec464abaa5bd63b6cbe1b
-
SHA512
ca3733205d1606e6d981f89a6b312bfedc00e2195e947729108d0c0d32b75b6d9a7794e7a29663baee12d7a5e64c13ee588edf70274a9697081cbc6e7292b0dd
Score
6/10
Malware Config
Signatures
-
Adds Run entry to start application 2 TTPs 1 IoCs
Processes:
MV TBN CALL PORT FOR LOADING COAL_pdf.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\QHqFoFvd = "C:\\Users\\Admin\\AppData\\Roaming\\hFqxlHG\\afPZt.exe" MV TBN CALL PORT FOR LOADING COAL_pdf.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
MV TBN CALL PORT FOR LOADING COAL_pdf.exedescription pid process target process PID 1124 wrote to memory of 1512 1124 MV TBN CALL PORT FOR LOADING COAL_pdf.exe MV TBN CALL PORT FOR LOADING COAL_pdf.exe PID 1124 wrote to memory of 1512 1124 MV TBN CALL PORT FOR LOADING COAL_pdf.exe MV TBN CALL PORT FOR LOADING COAL_pdf.exe PID 1124 wrote to memory of 1512 1124 MV TBN CALL PORT FOR LOADING COAL_pdf.exe MV TBN CALL PORT FOR LOADING COAL_pdf.exe PID 1124 wrote to memory of 1512 1124 MV TBN CALL PORT FOR LOADING COAL_pdf.exe MV TBN CALL PORT FOR LOADING COAL_pdf.exe PID 1124 wrote to memory of 1596 1124 MV TBN CALL PORT FOR LOADING COAL_pdf.exe MV TBN CALL PORT FOR LOADING COAL_pdf.exe PID 1124 wrote to memory of 1596 1124 MV TBN CALL PORT FOR LOADING COAL_pdf.exe MV TBN CALL PORT FOR LOADING COAL_pdf.exe PID 1124 wrote to memory of 1596 1124 MV TBN CALL PORT FOR LOADING COAL_pdf.exe MV TBN CALL PORT FOR LOADING COAL_pdf.exe PID 1124 wrote to memory of 1596 1124 MV TBN CALL PORT FOR LOADING COAL_pdf.exe MV TBN CALL PORT FOR LOADING COAL_pdf.exe PID 1124 wrote to memory of 1596 1124 MV TBN CALL PORT FOR LOADING COAL_pdf.exe MV TBN CALL PORT FOR LOADING COAL_pdf.exe PID 1124 wrote to memory of 1596 1124 MV TBN CALL PORT FOR LOADING COAL_pdf.exe MV TBN CALL PORT FOR LOADING COAL_pdf.exe PID 1124 wrote to memory of 1596 1124 MV TBN CALL PORT FOR LOADING COAL_pdf.exe MV TBN CALL PORT FOR LOADING COAL_pdf.exe PID 1124 wrote to memory of 1596 1124 MV TBN CALL PORT FOR LOADING COAL_pdf.exe MV TBN CALL PORT FOR LOADING COAL_pdf.exe PID 1124 wrote to memory of 1596 1124 MV TBN CALL PORT FOR LOADING COAL_pdf.exe MV TBN CALL PORT FOR LOADING COAL_pdf.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
MV TBN CALL PORT FOR LOADING COAL_pdf.exeMV TBN CALL PORT FOR LOADING COAL_pdf.exedescription pid process Token: SeDebugPrivilege 1124 MV TBN CALL PORT FOR LOADING COAL_pdf.exe Token: SeDebugPrivilege 1596 MV TBN CALL PORT FOR LOADING COAL_pdf.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
MV TBN CALL PORT FOR LOADING COAL_pdf.exeMV TBN CALL PORT FOR LOADING COAL_pdf.exepid process 1124 MV TBN CALL PORT FOR LOADING COAL_pdf.exe 1596 MV TBN CALL PORT FOR LOADING COAL_pdf.exe 1596 MV TBN CALL PORT FOR LOADING COAL_pdf.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
MV TBN CALL PORT FOR LOADING COAL_pdf.exedescription pid process target process PID 1124 set thread context of 1596 1124 MV TBN CALL PORT FOR LOADING COAL_pdf.exe MV TBN CALL PORT FOR LOADING COAL_pdf.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\MV TBN CALL PORT FOR LOADING COAL_pdf.exe"C:\Users\Admin\AppData\Local\Temp\MV TBN CALL PORT FOR LOADING COAL_pdf.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\MV TBN CALL PORT FOR LOADING COAL_pdf.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\MV TBN CALL PORT FOR LOADING COAL_pdf.exe"{path}"2⤵
- Adds Run entry to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1124-1-0x0000000000000000-0x0000000000000000-disk.dmp
-
memory/1596-2-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1596-3-0x000000000044A6FE-mapping.dmp
-
memory/1596-4-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1596-5-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB